
Table of contents
The true battlefield of digital signature
When a company implements electronic signature, it usually focuses on the visual experience: the finger stroke on a tablet screen or the click on a web button. However, the true value of a signature solution is not measured at the moment of contract celebration, but months or years later, when a conflict arises and the signatory denies having authorised the document.
Before a court, a PDF file that simply shows a digitised image of a handwritten signature may lack sufficient solidity. Any lawyer can challenge it alleging that the image could have been copied and pasted using a photo editor. At that moment, the burden of proof falls on the company, which must irrefutably demonstrate who signed, exactly what they signed and at what precise moment it occurred.
The only technical and legal tool capable of neutralising a challenge and providing absolute judicial protection is the Evidence Document, known internationally in technology audits as Audit Trail.
What is an Audit Trail and what information must it contain?
The Evidence Document is an independent PDF certificate automatically generated by the signature platform, acting as a digital trusted third party. This document acts as a “black box” that chronologically records each milestone in the transaction lifecycle.
For an Audit Trail to be admitted with full guarantees by a forensic IT expert or a judge under the European eIDAS Regulation, it must compulsorily compile the following technical metadata:
1. Unique identifiers and traceability of participants
It must reflect email addresses, names entered in the system and, where applicable, signatories’ mobile phone numbers. It also records the public IP address and user agent (browser type, operating system and device) from which the document was accessed, applying the Bring Your Own Device (BYOD) strategy.
2. Immutable timestamps and process logs
The report details the exact second the contract was generated, the moment the notification was sent, when the user clicked to read the clauses and the precise instant they applied their consent. These timestamps must be protected through cryptographic time-stamping that prevents subsequent modification.
3. Document integrity through hash functions
The Audit Trail associates the signing process with the unique hash function (SHA-256) of the original PDF file. This mathematical digital fingerprint guarantees that the contract text has not suffered alterations or manipulation since the moment the customer gave their consent.
4. Authentication evidence according to signature modality
The certificate records the technological mechanism used to collect the user’s will, adapting to the operational needs of each company procedure:
- It records clicks and acceptance in the web environment if simple electronic signature was used to maximise speed and conversion of sign-ups or everyday quotes.
- It strictly stores the telecommunications operator delivery record and the one-time numeric PIN code used if advanced electronic signature with OTP was used to protect high-risk contracts.
Cryptographic sealing: The lock on the evidence
Having a list of technical data is not enough if the Evidence Document itself could be edited. Therefore, trusted infrastructure platforms apply a qualified electronic seal to the Audit Trail file itself.
This seal, backed by a certification authority digital certificate, definitively locks the evidence document. If someone attempted to modify an IP address or a timestamp in the report to simulate a false signature, the cryptographic seal would break immediately, alerting to manipulation. While intact, the Audit Trail becomes robust, neutral and independent documentary proof.
Frequently asked questions (FAQs)
Is the Evidence Document sent to the end customer?
It depends on company configuration. The usual practice is for the Audit Trail to be kept in the organisation’s internal systems (ERP or CRM) integrated via API through webhooks, reserved for the legal department in case of dispute, although it can also be sent to the customer together with their copy of the signed contract to guarantee total transparency.
What is the difference between the validity of the contract and that of the Audit Trail?
The contract is the substantive agreement governing the commercial relationship between the parties. The Audit Trail is the procedural proof that scientifically demonstrates that said contract was read and signed by the indicated person under the exact stipulated terms, preventing the signatory from arguing ignorance or impersonation.
How long must these evidence documents be kept?
The legal recommendation is to keep the Audit Trail together with the contract throughout the agreement’s validity period and, mandatorily, until the legal or tax liabilities associated with the transaction prescribe (generally a minimum of 5 to 15 years depending on jurisdiction).
Conclusion
Legal security in the corporate digital environment cannot be based on mutual trust or weak visual marks on a PDF file. In the face of a claim for non-payment, withdrawal or contractual breach, business solidity depends on the technical quality of stored evidence.
Implementing electronic signature solutions that automatically generate a cryptographically protected Evidence Document or Audit Trail provides companies with the operational peace of mind necessary to scale. The organisation minimises litigation risks, eradicates the costs of manual verification processes and has an incontestable legal defence ready to be activated before any judge.
Ready to get started?
Contact us to share your business project or register now to start trying our services today
